US 7065210 B1 Abstract A cryptographic communications method based on ID-NIKS, wherewith mathematical structures are minimized, the collusion problem can be circumvented, and building the cryptosystem is simplified. A plurality of centers are provided for distributing a plurality of secret keys to a plurality of entities, respectively. Each secret key is unique to each entity. Information specifying the entities (entity ID information) is divided into a plurality of pieces or segments. All secret keys produced for the pieces of entity ID information are distributed to the entities. Using a component contained in the secret key peculiar to itself, each entity generates a common key to be shared by another entity. This component corresponds to a piece of ID information of another entity.
Claims(15) 1. A cryptographic communications method for communications of information between entities wherein a plurality of centers are provided, each of which generates secret keys peculiar to the entities using divided pieces of information resulting from division of information specifying each of the entities, the divided information used to generate the secret keys allowing diminished sizes of the secret keys; one entity generates a first common key using a first component contained in at least one secret key generated by at least one of the plurality of centers, the secret key being peculiar to the one entity, encrypts plaintext to ciphertext using the first common key and sends the ciphertext to another entity, the first component corresponding to one or more of the divided pieces of information specifying said another entity; and said another entity generates a second common key identical to the first common key using a second component contained in secret keys peculiar to the another entity sent from said centers, and decrypts said ciphertext to the original plaintext using the second common key, the second component corresponding to one or more of the divided pieces of information specifying the one entity.
2. A cryptographic communications method for communicating information between entities wherein:
secret keys peculiar to said entities are sent from a center to said entities;
one entity encrypts plaintext to ciphertext using a first common key derived from a first secret key peculiar to the one entity sent from said center and sends the ciphertext to another entity;
said another entity decrypts said ciphertext to the original plaintext using a second common key identical to the first common key, the second common key being derived from a second secret key peculiar to said another entity sent from said center, characterized in that;
a plurality of said centers are deployed;
each of said plurality of centers generates secret keys peculiar to said entities by adding random numbers peculiar to said entities to divided pieces of information resulting from division of information specifying each of said entities, the divided information used to generate the secret keys allowing diminished sizes of the secret keys; and
each of said entities generates a common key using a component, contained in the secret key peculiar to that selfsame entity, corresponding to one or more of the divided pieces of information obtained from each of said plurality of centers which specify an opposite entity.
3. The cryptographic communications method according to
where
vector s
_{ij }is a secret key corresponding to j'th piece of divided information specifying entity i (j=1, 2, . . . , K)[vector I
_{ij}] is j'th piece of divided information specifying entity i;P is a prime number;
K is number of divisions in the information specifying entity i;
g is primitive element for GF (P);
H
_{j }is a symmetrical 2^{M}×2^{M }matrix made up of random numbers;M is size of divisions in the information specifying entity i; and
α
_{ij }is a personal secret random number for entity i (where α_{i1 }. . . α_{iK}≡1 (mod P−1)).4. The cryptographic communications method according to
where
K
_{im }is common key generated by one entity i for another entity m; andvector s
_{ij }[vector I_{ij}] is a component contained in secret key vector s_{ij }of entity i, corresponding to divided piece of information specifying entity m.5. A cryptographic communications system for reciprocally performing, between a plurality of entities, encrypting processing for encrypting plaintext that is information to be sent into ciphertext and decrypting processing for decrypting ciphertext so sent back into original plaintext; comprising:
a plurality of centers that generate secret keys peculiar to said entities using pieces of information resulting from division of information specifying each of said entities and that sends said secret keys to said entities, the divided information used to generate the secret keys allowing diminished sizes of the secret keys; and
a plurality of entities each of which generates a common key employed mutually in said encryption and decryption processing when communicating with another entity, using a component corresponding to a divided specified information to each entity, contained in own secret key sent from the centers, the component further corresponding to one or more pieces of information specifying said another entity.
6. A cryptographic communications method for communications of information between entities wherein a plurality of centers are provided, each of which generates secret keys peculiar to the entities using divided specifying information resulting from division of information specifying each of the entities into a plurality of blocks, the divided information used to generate the secret keys allowing diminished sizes of the secret keys; one entity generates a first common key using a first component contained in secret keys peculiar to the one entity sent from the centers, encrypts plaintext to ciphertext using the first common key and sends the ciphertext to another entity, the first component corresponding to one or more of the divided pieces of information specifying said another entity; and said another entity generates a second common key identical to the first common key using a second component contained in secret keys peculiar to the another entity sent from said centers, and decrypts said ciphertext to the original plaintext using the second common key, the second component corresponding to one or more of the divided pieces of information specifying the one entity; secret keys for first block of divided specifying information have a multi-layer structure; and secret keys for remaining blocks of divided specifying information have a single-layer structure.
7. A secret key generation method for generating secret keys peculiar to entities using divided specifying information resulting from division of information specifying said entities into a plurality of blocks, the divided information used to generate the secret keys allowing diminished sizes of the secret keys, each entity generating a common key by using a component corresponding to the divided specifying information of another entity, wherein:
computation formulas for generating said secret keys are as follows:
where
vector s
_{ij }is a secret key corresponding to j'th divided specifying information for entity i (j=1, 2, . . . , K)[vector I
_{ij}] is j'th divided specifying information for entity i;vector 1 is a vector of dimension K wherein all components are 1;
H
_{j }is a symmetrical 2^{Mj}×2^{Mj }matrix made up of random numbers;M
_{j }is size of j'th divided specifying information for entity i;K is number of block divisions in information specifying entity i;
α
_{i }is a personal secret random number for entity i (where gcd (α_{i}, λ(N))=1 and λ(·) is Carmichael function);N is such that N=PQ (where P and Q are prime);
β
_{ij }is a personal secret random number for entity i (where β_{i1}+β_{i2}+ . . . +β_{iK}=λ(N));g is maximum generating element with modulo N;
vector g
_{it }is a secret key for 1st block of specifying information for entity i (t=0, 1, 2, . . . , T);T is degree of exponent portion; and
if c is a scalar, and A and B are matrixes represented in (i) and (ii) below, then the expressions B=c
^{A }and B=<A>^{c }represent (iii) and (iv) below, respectively(i) A=(a
_{μν})(ii) B=(b
_{μν})(iii) b
_{μν}=c^{a} _{μν} (iv) b
_{μν}=a_{μν} ^{c}.8. An encryption method wherein:
secret keys peculiar to entities are generated using divided specifying information resulting from division of information specifying each of said entities into a plurality of blocks, the divided information used to generate the secret keys allowing diminished sizes of the secret keys, each entity generating a common key by using a component corresponding to the divided specifying information of another entity;
plaintext is encrypted to ciphertext at one entity using a common key generated using a component contained in the secret key peculiar to the one entity, the component corresponding to divided specifying information for another entity that is a destination of said ciphertext; and
computation formulas for generating said secret keys peculiar to said entities are as follows:
where
vector s
_{ij }is a secret key corresponding to j'th divided specifying information for entity i (j=1, 2, . . . , K)[vector I
_{ij}] is j'th divided specifying information for entity i;vector 1 is a vector of dimension K wherein all components are 1;
H
_{j }is a symmetrical 2^{Mj}×2^{Mj }matrix made up of random numbers;M
_{j }is size of j'th divided specifying information for entity i;K is number of block divisions in information specifying entity i;
α
_{i }is a personal secret random number for entity i(where gcd (α
_{i}, λ(N))=1 and λ(·) is Carmichael function);N is such that N=PQ (where P and Q are prime);
β
_{ij }is a personal secret random number for entity i(where β
_{i1}+β_{i2}+ . . . +β_{iK}=λ(N));g is maximum generating element with modulo N;
vector g
_{it }is a secret key for 1st block of specifying information for entity i (t=0, 1, 2, . . . , T);T is degree of exponent portion; and
if c is a scalar, and A and B are matrixes represented in (i) and (ii) below, the expressions B=c
^{A }and B=<A>^{c }represent (iii) and (iv) below, respectively(i) A=(a
_{μν})(ii) B=(b
_{μν})(iii) b
_{μν}=c^{a} _{μν} (iv) b
_{μν}=a_{μν} ^{c}.9. The encryption method according to
where
g
_{tim }(=vector g_{it }[vector I_{m1}]) is a component corresponding to vector I_{m1 }for entity m, selected from own vector g_{it }for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);x
_{lim}=vector S_{il }[vector I_{ml}];x
_{jim }(=vector s_{ij }[vector I_{mj}]) is a component corresponding to vector I_{mj }for entity m, selected from own vector s_{ij }for j'th block of information specifying entity i (j=2, 3, . . . , K);K
_{im }is a common key generated by one entity i for another entity m; andy
_{im }is sum of (K-1) components x_{jim }(j=2, 3, . . . , K), that is, y_{im}=x_{2im}+x_{3im}+ . . . +x_{Kim}.10. A cryptographic communications method for communications of information between entities, wherein
a plurality of centers are deployed, each of which generates secret keys peculiar to said entities using divided specifying information resulting from division of information specifying each of said entities into a plurality of blocks, the divided information used to generate the secret keys allowing diminished sizes of the secret keys, and sends the secret keys to the entities respectively;
one entity generates a first common key using a first component contained in secret keys peculiar to the one entity sent from the centers, encrypts plaintext to ciphertext using the first common key, and sends the ciphertext to said another entity, the first component corresponding to divided specifying information for another entity;
said another entity generates a second common key identical to the first common key using a second component contained in secret keys peculiar to said another entity sent from the centers, and decrypts said ciphertext using the second common key, the second component corresponding to divided specifying information for the one entity; and
computation formulas for generating said secret keys at said centers are as follows:
where
vector s
_{ij }is a secret key corresponding to j'th divided specifying information for entity i (j=1, 2, . . . , K)[vector I
_{ij}] is j'th divided specifying information for entity i;vector 1 is a vector of dimension K wherein all components are 1;
H
_{j }is a symmetrical 2^{Mj}×2^{Mj }matrix made up of random numbers;M
_{j }is size of j'th divided specifying information for entity i;K is number of block divisions in information specifying entity i;
α
_{i }is a personal secret random number for entity i (where gcd (α_{i}, λ(N))=1 and λ(·) is Carmichael function);N is such that N=PQ (where P and Q are prime);
β
_{ij }is a personal secret random number for entity i (where β_{i1}+β_{i2}+ . . . +β_{iK}=λ(N));g is maximum generating element with modulo N;
vector g
_{it }is a secret key for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);T is degree of exponent portion; and
if c is a scalar, and A and B are matrixes represented in (i) and (ii) below, the expressions B=c
^{A }and B=<A>^{c }represent (iii) and (iv) below, respectively(i) A=(a
_{μ} _{ y })(ii) B=(b
_{μ} _{ y })(iii) b
_{μ} _{ y }=c^{a} _{μ} _{ y } (iv) b
_{μ} _{ y }=a_{μ} _{ y }c.11. The cryptographic communications method according to
where
g
_{tim}(=vector g_{it }[vector I_{m1}]) is a component corresponding to vector I_{m1 }for entity m, selected from own vector g_{it }for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);x
_{lim}=vector s_{il }[vector I_{ml}];x
_{jim }(=vector s_{ij }[vector I_{mj}]) is a component corresponding to vector I_{mj }for entity m, selected from own vector s_{ij }for j'th block of information specifying entity i (j=2, 3, . . . , K);K
_{im }is a common key generated by one entity i for another entity m; andy
_{im }is sum of (K-1) components x_{jim }(=2, 3, . . . , K), that is, y_{im}=x_{2im}+x_{3im}+ . . . +x_{Kim}.12. A common key generator provided at entities in a cryptographic communications system for generating a common key to be used in processing to encrypt plaintext to ciphertext and in processing to decrypt ciphertext back to plaintext, comprising:
storage means for storing secret keys peculiar to said entities produced, according to computation formulas given below, for divided specifying information resulting from division of information specifying each of said entities into a plurality of blocks, the divided information used to generate the secret keys allowing diminished sizes of the secret keys, each entity generating a common key by using a component corresponding to the divided specifying information of another entity;
selection means for selecting components corresponding to divided specifying information for opposite entities to be communicated with, from the secret keys stored; and
means for generating said common keys, according to computation formulas given below, using said components so selected:
where
_{ij }is a secret key corresponding to j'th divided specifying information for entity i (j=1, 2, . . . , K)[vector I
_{ij}] is j'th divided specifying information for entity i;vector 1 is a vector of dimension K wherein all components are 1;
H
_{j }is a symmetrical 2^{Mj}×2^{Mj }matrix made up of random numbers;M
_{j }is size of j'th divided specifying information for entity i;K is number of block divisions in information specifying entity i;
α
_{i }is a personal secret random number for entity i (where gcd (α_{i}, λ(N))=1 and λ(·) is Carmichael function);N is such that N=PQ (where P and Q are prime);
β
_{ij }is a personal secret random number for entity i (where β_{i1}+β_{i2}+ . . . +β_{iK}=λ(N));g is maximum generating element with modulo N;
vector g
_{it }is a secret key for 1st block of information specifying entity i (t=0, 1, 2 . . . , T);T is degree of exponent portion; and
if c is a scalar, and A and B are matrixes represented in (i) and (ii) below, the expressions B=c
^{A }and B=<A>^{c }represent (iii) and (iv) below, respectively(i) A=(a
_{μν})(ii) B=(b
_{μν})(iii) b
_{μν}=c^{a} _{μν} (iv) b
_{μν}=a_{μν} ^{c} where
g
_{tim }(=vector g_{it }[vector I_{m1}]) is a component corresponding to vector I_{m1 }for entity m, selected from own vector g_{it }for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);x
_{lim}=vector s_{il }[vector I_{ml}];x
_{jim }(=vector s_{ij }[vector I_{mj}]) is a component corresponding to vector I_{mj }for entity m, selected from own vector s_{ij }for j'th block of information specifying entity i (j=2, 3, . . . , K);K
_{im }is a common key generated by one entity i for another entity m; andy
_{im }is sum of (K-1) components x_{jim }(j=2, 3, . . . , K), that is, y_{im}=x_{2im}+x_{3im}+ . . . +x_{Kim}.13. A cryptographic communications system for reciprocally performing, between a plurality of entities, encryption processing for encrypting plaintext that is information to be sent into ciphertext and decryption processing for decrypting ciphertext so sent back into original plaintext, comprising:
a plurality of centers each of which generates secret keys peculiar to said entities, according to computation formulas given below, using divided specifying information resulting from division of information specifying each of said entities into a plurality of blocks, the divided information used to generate the secret keys allowing diminished sizes of the secret keys, and sends said secret keys to said entities; and
a plurality of entities each of which generates a common key mutually employed in said encryption and decryption processing when communicating with another entity, according to computation formulas given below, using a component contained in own secret key sent from said centers, the component corresponding to divided specifying information for said another entity:
where
_{ij }is a secret key corresponding to j'th divided specifying information for entity i (j=1, 2, . . . , K)[vector I
_{ij}] is j'th divided specifying information for entity i;vector 1 is a vector of dimension K wherein all components are 1;
H
_{j }is a symmetrical 2^{Mj}×2^{Mj }matrix made up of random numbers;M
_{j }is size of j'th divided specifying information for entity i;K is number of block divisions in information specifying entity i;
_{i }is a personal secret random number for entity i (where gcd (α_{i}, λ(N))=1 and λ(·) is Carmichael function);N is such that N=PQ (where P and Q are prime);
_{ij }is a personal secret random number for entity i (where β_{i1}+β_{i2}+ . . . +β_{iK}=λ(N));g is maximum generating element with modulo N;
vector g
_{it }is a secret key for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);T is degree of exponent portion; and
^{A }and B=<A>^{c }represent (iii) and (iv) below, respectively(i) A=(a
_{μν})(ii) B=(b
_{μν})(iii) b
_{μν}=c^{a} _{μν} (iv) b
_{μν}=a_{μν} ^{c} where
g
_{tim }(=vector g_{it }[vector I_{m1}]) is a component corresponding to vector I_{m1 }for entity m, selected from own vector g_{it }for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);x
_{lim}=vector s_{il }[vector I_{ml}];_{jim }(=vector s_{ij }[vector I_{mj}]) is a component corresponding to vector I_{mj }for entity m, selected from own vector s_{ij }for j'th block of information specifying entity i (j=2, 3, . . . , K);K
_{im }is a common key generated by one entity i for another entity m; andy
_{im }is sum of (K-1) components x_{jim }(j=2, 3, . . . , K), that is, y_{im}=x_{2im}+x_{3im}+ . . . +x_{Kim}.14. A computer readable recording medium embodied in a tangible physical object for storing a program that generates at entities involved in communications a common key mutually used in processing to encrypt plaintext to ciphertext and in processing to decrypt said ciphertext back to said plaintext in a cryptographic communications system, comprising:
first program code means for causing said computer to select a component corresponding to divided specifying information of one entity that is a ciphertext recipient from a secret key peculiar to another entity that is a ciphertext sender, according to computation formulas given below, for each of divided specifying information resulting from division of information specifying each of said entities into a plurality of blocks, the divided information allowing a diminished size of the secret key; and
second program code means for causing said computer to generate said common key, according to computation formulas given below, using said components selected:
where
_{ij }is a secret key corresponding to j'th divided specifying information for entity i (j=1, 2, . . . , K)[vector I
_{ij}] is j'th divided specifying information for entity i;vector 1 is a vector of dimension K wherein all components are 1;
H
_{j }is a symmetrical 2^{Mj}×2^{Mj }matrix made up of random numbers;M
_{j }is size of j'th divided specifying information for entity i;K is number of block divisions in information specifying entity i;
_{i }is a personal secret random number for entity i (where gcd (α_{i}, λ(N))=1 and λ(·) is Carmichael function);N is such that N=PQ (where P and Q are prime);
_{ij }is a personal secret random number for entity i (where β_{i1}+β_{i2}+ . . . +β_{iK}=λ(N));g is maximum generating element with modulo N;
vector g
_{it }is a secret key for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);T is degree of exponent portion; and
^{A }and B=<A>^{c }represent (iii) and (iv) below, respectively(i) A=(a
_{μν})(ii) B=(b
_{μν})(iii) b
_{μν}=c^{a} _{μν} (iv) b
_{μν}=a_{μν} ^{c} where
_{tim }(=vector g_{it }[vector I_{m1}]) is a component corresponding to vector I_{m1 }for entity m, selected from own vector g_{it }for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);x
_{lim}=vector s_{il}[vector I_{ml}];_{jim }(=vector s_{ij }[vector I_{mj}]) is a component corresponding to vector I_{mj }for entity m, selected from own vector s_{ij }for j'th block of information specifying entity i (j=2, 3, . . . , K);K
_{im }is a common key generated by one entity i for another entity m; and_{im }is sum of (K-1) components x_{jim }(j=2, 3, . . . , K), that is, y_{im}=x_{2im}+x_{3im}+ . . . +x_{Kim}.15. A computer readable program embodied in a tangible physical object for generating at entities involved in communications a common key mutually used in processing to encrypt plaintext to ciphertext and in processing to decrypt said ciphertext back to said plaintext in a cryptographic communications system, comprising:
first code segment for causing a computer to select a component corresponding to divided specifying information of one entity that is a ciphertext recipient from a secret key peculiar to another entity that is a ciphertext sender, according to computation formulas given below, for each of divided specifying information resulting from division of information specifying each of said entities into a plurality of blocks, the divided information allowing a diminished size of the secret key; and
second code segment for causing said computer to generate said common key, according to computation formulas given below, wherein said computer generates said common keys by using a component corresponding to the divided specifying information of another computer, using said components selected:
where
_{ij }is a secret key corresponding to j'th divided specifying information for entity i (j=1, 2, . . . , K)[vector I
_{ij}] is j'th divided specifying information for entity i;vector 1 is a vector of dimension K wherein all components are 1;
H
_{j }is a symmetrical 2^{Mj}×2^{Mj }matrix made up of random numbers;M
_{j }is size of j'th divided specifying information for entity i;K is number of block divisions in information specifying entity i;
_{i }is a personal secret random number for entity i (where gcd (α_{i}, λ(N))=1 and λ(·) is Carmichael function);N is such that N=PQ (where P and Q are prime);
_{ij }is a personal secret random number for entity i (where β_{i1}+β_{i2}+ . . . +β_{iK}=λ(N));g is maximum generating element with modulo N;
_{it }is a secret key for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);T is degree of exponent portion; and
^{A }and B=<A>^{c }represent (iii) and (iv) below, respectively(i) A=(a
_{μν})(ii) B=(b
_{μν})(iii) b
_{μν}=c^{a} _{μν} (iv) b
_{μν}=a_{μν} ^{c} where
_{tim }(=vector g_{it }[vector I_{m1}]) is a component corresponding to vector I_{m1 }for entity m, selected from own vector g_{it }for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);x
_{lim}=vector s_{il }[vector I_{ml}];_{jim }(=vector s_{ij }[vector I_{mj}]) is a component corresponding to vector I_{mj }for entity m, selected from own vector s_{ij }for j'th block of information specifying entity i (j=2, 3, . . . , K);K
_{im }is a common key generated by one entity i for another entity m; andy
_{im }is sum of (K-1) components x_{jim }(j=2, 3, . . . , K), that is, y_{im}=x_{2im}+x_{3im}++. . . x_{Kim}.Description 1. Field of the Invention This invention relates to a secret key generation method for generating secret keys peculiar to entities, to an encryption method for encrypting information so that it will be unintelligible to any but an authorized party, and to a cryptographic communications method which performs communications with ciphertext. 2. Description of the Related Art In today's world, characterized by sophisticated information utilization, important business documents and image information are transmitted and processed in the form of electronic information over an infrastructure of computer networks. By its very nature, electronic information can be easily copied, making it extremely difficult to distinguish between the copy and the original, and information security has become a very serious problem. The realization of computer networks which support “shared computer resources,” “multi-access,” and “broad-area implementation” is particularly indispensable to the establishment of a high-level information society. However, that very realization involves aspects which are inconsistent with the security of information exchanged between authorized parties. An effective technique for eliminating that inconsistency is encryption technology, which up until now, in the course of human history, has been primarily used in the fields of military operations and foreign diplomacy. Cryptography is the process of exchanging information so that its meaning cannot be understood by anyone other than the authorized parties. In cryptographic operations, the conversion of the original text (plaintext) that anyone can understand to text (ciphertext) the meaning of which cannot be understood by a third party is called encryption, and the restoration of the ciphertext to plaintext is called decryption. The overall system wherein this encryption and decryption are performed is called a cryptosystem. In the processes of encryption and decryption, respectively, secret information called encryption keys and decryption keys are employed. A secret decryption key is necessary at the time of decryption, wherefore only a party knowledgeable of that decryption key can decrypt the ciphertext. Accordingly, the confidentiality of the information is maintained by the encryption. The encryption key and decryption key may be the same or they may be different. A cryptosystem wherein both keys are the same is called a common key cryptosystem, and the DES (Data Encryption Standards) adopted by the Bureau of Standards of the U.S. Department of Commerce is a typical example thereof. Conventional examples of such common key encryption schemes can be divided into the following three types. (1) Type 1 Methods wherewith all common keys to be shared with possible parties in cryptographic communications are held in secret. (2) Type 2 Methods wherewith keys are mutually shared by a preparatory communication each time cryptographic communications are conducted (including Diffie-Hellman-based key sharing scheme, key distribution scheme based on public key schemes, etc.). (3) Type 3 Methods wherewith disclosed identification information (ID information)) that specifies an individual, such as user (entity) name and address, etc., is used, and both the sending entity and receiving entity independently generate the same common key without preparatory communications (including KPS (key predistribution systems), ID-NIKS (ID-based non-interactive key sharing schemes), etc.). Such conventional methods as seen in these three types of schemes are subject to the problems described below. With method 1, since all of the common keys are stored, this scheme is unsuitable for a network society wherein an unspecified large number of users become entities and conduct cryptographic communications. With method 2, there is a problem in that preparatory communications are required for key sharing. Method 3 is a convenient method because it requires no preparatory communications, and a common key with any opposite party can be generated using the disclosed ID information of the opposite party together with characteristic secret parameters distributed beforehand from a center. Nevertheless, this scheme is subject to the following two problems. Firstly, the center must become a “big brother” (creating a key escrow system wherein the center holds the secrets of all of the entities). Secondly, there is a possibility that some number of entities could collude to compute the center secrets. In the face of this collusion problem, many innovative techniques have been devised to circumvent the problem by way of computation volume, but a complete solution is very difficult. The difficulties of resolving this collusion problem arise from the fact that the secret parameters based on the ID information form dual structures comprising center secrets and personal secrets. With method 3, a cryptosystem is configured using the disclosed parameters of the center, the disclosed ID information of the individual entities, and the two types of secret parameters for the center and entities. Not only so, but it is necessary also to configure such that center secrets will not be revealed even if the entities compare the personal secrets distributed to each. Accordingly, there are many problems that must be resolved before this cryptosystem can be actually realized. It is an object of the present invention to provide a secret key generation method, encryption method, and cryptographic communications method based on an ID-NIKS, wherewith specifying information (ID information) is divided into a plurality of portions, and all secret keys based on the divided specifying information are distributed to entities from each of a plurality of centers, whereby it is possible to minimize the mathematical structures, circumvent the collusion problem, and facilitate the construction of the cryptosystem. Another object of the present invention is to provide a secret key generation method, encryption method, and cryptographic communications method that are more highly resistant to random number substitution attack. According to a first aspect of the present invention, there is provided a secret key generation method for generating secret keys peculiar to entities that are to be sent from a center to the entities, characterized in that the secret keys peculiar to the entities are generated using divided specifying information resulting from the division of information specifying the entities. According to a second aspect of the present invention, there is provided an encryption method wherein secret keys peculiar to entities are sent to the entities from the center respectively, and an entity encrypts plaintext to ciphertext using a secret key peculiar to that entity sent from the center, characterized in that the secret keys peculiar to the entities are generated using divided specifying information resulting from the division of information specifying the entities, and plaintext is encrypted to ciphertext at one entity that is a ciphertext sender using a common key generated from a component contained in its own secret key, the component corresponding to the divided specifying information of another entity that is a destination of the ciphertext. According to a third aspect of the present invention, there is provided a cryptographic communications method for communicating information between entities, wherein one entity encrypts plaintext to ciphertext using a first common key derived from a first secret key peculiar to that entity sent from a center and sends the ciphertext to another entity (recipient), and the recipient decrypts the ciphertext to the plaintext using a second common key identical to the first common key, the second common key being derived from a second secret key peculiar to the recipient sent from the center, characterized in that a plurality of the centers are deployed, each of the centers generates secret keys peculiar to the entities using divided specifying information resulting from the division of information specifying the entities, and each of the entities generates the common key using a component, contained in its own secret key, corresponding to the divided specifying information of an opposite entity. The reason why the various cryptosystems based on entity specifying information proposed for the purpose of resolving the collusion problem have been unsuccessful lies in excessively seeking mathematical structures to provide innovative techniques for preventing center secrets from being deduced from entity collusion information. When the mathematical structures are too complex, the method of demonstrating safety becomes very difficult. In the present invention, therefore, the mathematical structures are held to a bare minimum by dividing entity specifying information into a plurality of portions and distributing all the secret keys for each of the divided specifying information to the entities. In the present invention, a plurality of centers are deployed, and each center generates a secret key corresponding to one unit (or piece) of divided specifying information for one entity. Accordingly, no single center holds all of the entity secrets and hence no center becomes a “big brother.” Also, because the mathematical structures are held down to a minimum, circumvention of the collusion problem is easily realized and the cryptosystem is also simple to implement. Furthermore, the secret keys peculiar to one entity for that entity to generate a common key have been sent from the centers and are stored from the start in table form, wherefore the time required for common key generation can be significantly shortened. According to a fourth aspect of the present invention, there is provided a secret key generation method for generating secret keys specific to entities using divided specifying information resulting from the division of information specifying the entities into a plurality of blocks, characterized in that the secret key for a first block of divided specifying information has a multi-layer structure and each of the secret keys for the remaining blocks of divided specifying information has a single-layer structure. According to a fifth aspect of the present invention, there is provided an encryption method wherein secret keys peculiar to entities are generated using divided specifying information resulting from the division of information specifying the entities into a plurality of blocks, plaintext is encrypted to ciphertext using a common key generated using a component, contained in the secret key, corresponding to the divided specifying information for an opposite entity to which the ciphertext is to be sent, characterized in that the secret key for a first block of divided specifying information has a multi-layer structure, and each of the secret keys for the remaining blocks of divided specifying information has a single-layer structure. According to a sixth aspect of the present invention, there is provided a cryptographic communications method for communicating information between entities, wherein a plurality of centers are deployed, each of which generates secret keys peculiar to the entities using divided specifying information resulting from the division of information specifying the entities into a plurality of blocks, one entity generates a first common key using a first component contained in secret keys peculiar to that entity sent from the centers and corresponding to the divided specifying information of another entity (recipient), encrypts plaintext to ciphertext using the first common key, and sends the ciphertext to the recipient, the recipient generates a second common key identical to the first common key, using a second component contained in secret keys peculiar to the recipient sent from the centers and corresponding to the divided specifying information of the ciphertext sender, and decrypts the ciphertext to the original plaintext using the second common key, the secret key for a first block of divided specifying information has a multi-layer structure, and the secret keys for the remaining blocks of divided specifying information have a single-layer structure. The present invention is configured in such a manner that the common key can only be derived after the computation for all blocks is complete, and a divided block of information specifying a specific entity cannot be attacked independently, whereupon random number substitution attack can be circumvented. The term “recording medium” or “computer usable (or readable) medium” in this specification includes any physical object in which a program to be executed by CPU or the like is stored. For example, the “recording medium” includes a floppy disc, CD-ROM, hard disk drive, ROM, RAM, optical recording medium such as DVD, photo-magnetic recording medium such as MO, magnetic recording medium such as magnetic tape, and semiconductor memory such as IC card and miniature card. A data signal embodied in a carrier wave may be the computer readable medium. Embodiments of the present invention are now described. These centers A first embodiment that is a basic scheme of the present invention is described first. Preparatory Processing at Centers The centers
ID vectors that are specifying information indicating the names and addresses of entities are made L-dimension binary vectors, and each of the ID vectors is divided into K blocks (each has a block size M) as diagrammed in Entity Registration Processing: When each of the centers
However, when g is a scalar, and A and B are matrixes, the representation B=g Processing for Generating Common Keys Between Entities: Entity i selects from its own secret key vectors s
Next, the communication of information between entities in the cryptosystem described above is described. A secret key generator Entity a is provided with a memory Entity b, meanwhile, is provided with a memory When information is to be sent from entity a to entity b, first, the secret key vectors s The ciphertext C sent over the communication path In the scheme of the present invention, the secret key vectors peculiar to the entities are stored beforehand in the memories of the entities so that a shorter time is required to generate the common keys. The safety provided by the scheme of the present invention is now discussed. It is known that one of the conditions necessary to a safe ID-NIKS is the inability of separating the secret key generating functions and key sharing functions in polynomial time. A fact that the scheme of the present invention satisfies this necessary condition is described below. Secret Key Generating Function: The scheme of the present invention has a total of K secret key generating functions as indicated in formulas 5 and 6 below.
If H is an arbitrary symmetrical matrix, then the referencing function [·] is clearly indivisible, as shown in formulas 7 and 8 below.
Thus, the K secret key generating functions represented in formulas 5 and 6 are indivisible, as shown in formula 9 below.
Key Sharing Function: The key sharing function in the scheme of the present invention is represented in formula 10 below.
As in the case of the secret key generating functions, the key sharing function represented in formula 10 is indivisible, as shown in formula 11 below.
Attacks for breaking cryptosystems by the collusion of an indefinite number of entities (hereinafter “non-corrupting collusion”) has been debated for quite some time. At the same time, attacks conducted by a smaller number of collaborators wherein only entities necessary for the attack are bought (hereinafter “corrupting collusion”) are also effective if a certain individual is the only target. The safety of the scheme of the present invention against such corrupting and non-corrupting collusions is now considered. Safety Against Non-Corrupting Collusion: In cases where it is possible to represent the ID vector of any entity by a linear combination of collaborator ID vectors (combination attack) and either the secret key generating function or key sharing function is divisible in polynomial time, it is possible to counterfeit the secret keys of other entities from the secret keys of the collaborators (separation attack). Such an attack is known as a linear attack. In the scheme of the present invention, the ID vector of any entity can be represented as a linear combination by using the ID vectors of L collaborators who are linearly independent. That is, a combination attack by L or more entities is viable. However, because the secret key generating functions and key sharing function are indivisible functions, as noted earlier, the secret key and common key of that entity cannot be counterfeited by a separation attack even in the unlikely case where a combination attack against any entity should become viable. Therefore the linear attack does not work with the scheme of the present invention. Accordingly, in the face of a non-corrupting collusion, the scheme of the present invention has a collusion threshold (minimum number of collaborators required for combination attack) that is far higher than L. Safety Against Corrupting Collusion: In cases where an attack is made against the scheme of the present invention wherein a specific entity is targeted, a random number substitution attack like that described below is conceivable wherein all of the entities required for the attack are bought out and all of the secret keys of the bought-out entities are used. The situation is described in an example where the name is four Kanji characters (L=4×16=64 bits) so that the entity ID is easy to understand and each Kanji character is treated as 1 block. In other words, it is assumed that K=4 and M=16. A case is now considered wherein the IDs of entities Z, A, B, C, and D are set as noted below, entities A, B, C, and D are bought out, and entity Z is attacked.
The secret key of entity Z is then given as follows.
The collaborators make the following computations and counterfeit the secret key of entity Z.
It may be seen here that the counterfeited vectors s In order for this corrupting collusion attack to be viable, however, it is necessary to acquire the secret keys of a collaborator having exactly the same ID division vectors as the K number of ID division vectors of the entity targeted for attack. For some specific block, only one entity in 2 Now, in order to circumvent a random number substitution attack by corrupting collusion, it is only necessary to implement measures to prevent the division blocks from being independently attacked. In other words, it is only necessary to make it so that the random number terms disappear only after the computation of all of the blocks is complete. With this perspective, two embodiment are now described which represent improvements of the first embodiment. Another example of the present invention (2nd embodiment) is now described which is made stronger against random number substitution attack by combining a random number elimination method. Preliminary Processing at Centers As in the first embodiment, the centers
In order to employ the safety of RSA ciphers, P is set so that it is very difficult to factor P−1 into prime numbers. To do that it is only necessary to use a prime number such that P=2pq+1 (where p and q are prime). As in the first embodiment, the ID vector of each of the entities is divided into K blocks (ID division vectors) having a block size M (cf. Furthermore, as indicated in formula 12 below, a hashing function h(·) for generating a second ID vector v
Entity Registration Processing: When the centers
Processing for Generating Common Key Between Entities: Entity i uses the disclosed hashing function h (·) to derive the second ID vector for an opposite entity m, namely v
Entity i selects from its own secret key vectors s Safety Against Random Number Substitution Attack: Generally, in actual examples of the aforementioned entities A and B, we will have v
Another example (third embodiment) of the present invention is now described wherewith the personal random number elimination process is rendered complex by the addition of a constant term. Preliminary Processing at Centers As in the first embodiment, the centers
Also, as in the first embodiment, the ID vector of each entity is divided into K blocks (ID division vectors) having a block size of M (cf. Entity Registration Processing: When the centers
The third embodiment further adds K-2 personal random numbers β
Processing for Generating Common Key Between Entities: Entity i first, from the secret key vectors s
Entity i, from among the secret key vector s Safety Considerations: In this formula, if settings are made as in formula 22 below, the expression K
However, with the scheme of the present invention, the mathematical structures are held down to a minimum, and there is no structure in their variables that is separable, whereupon it becomes necessary to attack all of these variables as independent variables, thus requiring an extremely enormous number of collaborators. Even if the final block is susceptible to elimination by a random number substitution attack, the terms expressed in formula 22 must be attacked as independent variables. Thus, in the case where M=10, for example, it becomes necessary to amass 2 Although the third embodiment pertains to a case wherein a composite number N difficult of prime factoring is used as the modulus, the same thing can of course be done in the case where N=P. These centers Preparatory Processing at Centers The centers
It should be assumed that ID vectors that are specifying information indicating the names and addresses of entities are L-dimension binary vectors, and each of their ID vectors is divided into K blocks (block sizes are M
Entity Registration Processing: When the centers
Vector Next, for the 1st block, T+1 secret key vectors g
It should be assumed that when c is a scalar and A and B indicated in formulas 26 and 27 are matrixes, the expressions B=c One of the centers Processing for Generating Common Key Between Entities: Entity i, for the 1st block, selects from its own T+1 secret key vectors g
Next, entity i, for the blocks
Then, the sum y
And, by performing calculation as in formula 33 below, with modulo N, the common key K
In the formula above we assumed x In the example described in the foregoing, the size M Let us now consider the safety of the present invention against a collusive attack such as an attack against the whole cryptosystem by the collusion of a large indefinite number of entities. If the total number of entities is 1 million, then 1000000 ≈2 The communication of information between entities in the cryptosystem described in the foregoing is described next. The first of the centers The j'th center Entity a is provided with a memory Entity b is provided with a memory When information is to be sent from entity a to entity b, first, the secret key vectors g The ciphertext C sent over the channel In the above-described example, centers are deployed in a plurality, and these centers generate a plurality of keys corresponding to a plurality of units (pieces) of entity ID information respectively. In other words, each center generates a key for a certain segment of entity ID information. Therefore no single center can hold all entity secrets, and the centers cannot become “big brothers.” Also, the secret key vectors peculiar to the respective entities are stored beforehand in the memories of the entities, so the time required for generating common keys can be shortened. In A recording medium A recording medium With the present invention, as described in the foregoing, entity ID information is divided into a plurality of segments or pieces and a plurality of centers are established for these entity ID information pieces respectively such that each of the centers generates a particular key for a particular piece of entity ID information. Therefore, no single center can grasp all entity secrets or can become a “big brother.” In addition, the mathematical structures are held down to a minimum, so that it is easy both to effectively circumvent the collusion problem and to implement the cryptosystem. Furthermore, because the entities are in possession beforehand of secret keys peculiar thereto, the time required for generating common keys can be significantly shortened. With an ID-NIKS based on the third conventional method described earlier, in general, L×L symmetrical matrixes are center secrets, and a portion of that information is treated as a vector comprising L components and distributed to the entities. This scheme is very easy to implement but the collusion threshold is no more than approximately L. With the scheme of the present invention, on the other hand, a collusion threshold can be obtained which is far greater than L. With the conventional scheme, by employing 2 With the present invention, moreover, the random number terms are eliminated only after all blocks have been completely computed, wherefore divided blocks cannot be independently attacked and it is possible to circumvent random number substitution attack. The above illustrated and described secret key generation method, encryption method, cryptographic communications method, common key generator, cryptographic communications system, and recording media are disclosed in Japanese Patent Application Nos. 11-16257 and 11-59049 filed on Jan. 25, 1999 and Mar. 5, 1999 respectively, the instant application claims priority of these Japanese Applications, and the entire disclosure thereof is herein incorporated by reference. Patent Citations
Non-Patent Citations
Referenced by
Classifications
Legal Events
Rotate |